[ISN] Johnson & Johnson tackles security pain

From: InfoSec News (isn@private)
Date: Thu Mar 17 2005 - 23:36:44 PST


By Ellen Messmer
Network World

For Johnson & Johnson, the health-care giant with more than 200
separate companies operating in 54 countries, one of the biggest
problems encountered in e-commerce was finding a way to quickly get
business partners access to the network but enforce security.

The problem vexed the New Brunswick, N.J., maker of pharmaceuticals and
medical equipment because e-commerce partners, once given access,
sometimes introduced worms and viruses into the company's network. In
addition, the process of reviewing each business request for network
access between a J&J unit and its intended partner had become
burdensome, delaying e-commerce transactions.

However, IT staff at J&J say that since new security procedures were
put in place a year ago, network-access requests have been processed
much faster. Through uniform monitoring and documentation processes,
security has also improved, with worm and virus outbreaks emanating
from business partners reduced to nil.

"The documentation is still a bit cumbersome, but now it's a
repeatable process," says Thomas Bunt, director of worldwide
information security at J&J, about the challenge of providing network
access for business partners. "We're facing an increased demand for
external connections, and it wasn't easy to do this."

When a business manager at J&J wants counterparts at an outside firm
to gain access to internal applications for e-commerce, the IT
department is called in to assess the risk.

First, the J&J unit and the outside firm have to fill out a detailed
questionnaire about the nature of the connection request, says Denise
Medd, information security senior analyst. In addition, J&J expects
the intended e-commerce partner to submit to a security assessment and

This vulnerability assessment may be done by a neutral third party,
but the goal is to ensure that doing business over the network
connection, which is typically opened through a J&J firewall, presents
no unnecessary risk. The J&J operating company, officially known as
"the sponsor," is held to the same standards, Medd emphasizes.

Occasionally, a request for network access is turned down, especially
if the J&J side has servers lacking proper patch-update mechanisms or
other shortcomings. "There is a final review, and we will not let an
insecure connection go live," Medd says.

The IT and security professionals at J&J worked with the legal
department to craft standard procedures for requests and evaluations.
J&J and its partner must also complete a contract or memorandum of
understanding covering the network connection to be established.

"We'll look closely at what the connectivity is, and typically a
limited number of people could have access," Bunt says, pointing out
that J&J strives to accommodate requests for a range of VPN access

J&J also reinspects each network connection every six months to
confirm that it is still secure. The risk-management procedure has
resulted in a dramatic drop in virus and worm outbreaks. Business
project managers sometimes grumble about the assessment process, but
management's solid backing has made it a uniformly enforced process
now in effect with hundreds of outside firms, Bunt says.

The IT department says it hopes to streamline the risk evaluation
further by drawing up standardized interconnection security agreements
and a uniform set of questions to ask outside firms wanting access to
J&J's internal network.

"We also need to better explain to our partners why they need to do
this and how they benefit by getting a good look at our security
posture," Bunt says.

This archive was generated by hypermail 2.1.3 : Fri Mar 18 2005 - 03:00:22 PST